Answer given by Ms Jourová on behalf of the European Commission
27.8.2018
The General Data Protection Regulation (GDPR) applies as from 25 May 2018[1]. The GDPR provides that processing by a processor shall be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller[2]. The GDPR further provides that such contract or legal act shall be in writing, including in electronic form[3].
Without prejudice to the powers of the Commission as guardian of the Treaties, the monitoring and enforcement of the application of data protection legislation falls primarily under the competence of national authorities, in particular data protection authorities and courts.
However, the rules for entering into contracts or other legal acts, including in electronic form, are not set forth in the GDPR but in other EU and/or national legislation. The e-commerce Directive (Directive 2000/31/EC) provides for the removal of legal obstacles to the use of electronic contracts. It does not harmonise the form electronic contracts can take. In principle, automated contract processes are lawful. It is not necessary to append an electronic signature to contracts for them to have legal effects. E-signatures are one of several means to prove their conclusion and terms.
A legal act may be an ordinance or other type of administrative decision whereby controllers vested in public authority may stipulate the conditions for processing personal data on their behalf.
- [1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1‐88.
- [2] Article 28(3) GDPR.
- [3] Article 28(9) GDPR.